CVE-2024-39863

CWE-79 — Cross-site Scripting (XSS)CWE-745 documents4 sources

Severity

5.4MEDIUM

EPSS

0.3%

top 44.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedJul 17

Description

Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDapache/airflow< 2.9.3

▶PyPIapache-airflow< 2.9.3

▶CVEListV5apache_software_foundation/apache_airflow< 2.9.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-39863: Apache Airflow versions before 2↗2024-07-17

▶

GHSA

Apache Airflow Potential Cross-site Scripting Vulnerability↗2024-07-17

▶

CVEList

Apache Airflow: Potential XSS Vulnerability↗2024-07-17

▶

OSV

Apache Airflow Potential Cross-site Scripting Vulnerability↗2024-07-17

▶